Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Mako templates do not automatically escape HTML or URL content, so any dynamic data rendered in templates must be manually escaped. Failing to do this can result in untrusted input being directly embedded into web pages.
Impact#
If user input is not properly escaped, attackers can inject malicious scripts (XSS) into web pages, potentially stealing user data, hijacking sessions, or defacing the site. This exposes your users and your application to serious security risks.